From e3219df59b8dfbc30bc7724b64fa77c09004acce Mon Sep 17 00:00:00 2001 From: Peter Rugg Date: Mon, 22 Jan 2024 13:46:29 +0000 Subject: [PATCH 1/8] Fix minor nits --- src/cheri-pte-ext.adoc | 2 +- src/instructions.adoc | 2 +- src/riscv-integration.adoc | 8 ++++---- src/riscv-legacy-integration.adoc | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/cheri-pte-ext.adoc b/src/cheri-pte-ext.adoc index 62a478dc..83234867 100644 --- a/src/cheri-pte-ext.adoc +++ b/src/cheri-pte-ext.adoc @@ -55,7 +55,7 @@ to manage the CD bit are permitted: instruction is executed, the <> grants store capability permission, the tag bit of the capability being written is set and the address written corresponds to a virtual page with the CD bit clear. -* When a capability store or AMO instruction is execute, the <> grants store +* When a capability store or AMO instruction is executed, the <> grants store capability permission, the tag bit of the capability being written is set and the store address corresponds to a virtual page with the CD bit clear, the implementation sets the corresponding bit in the PTE. The PTE update must be diff --git a/src/instructions.adoc b/src/instructions.adoc index e8a78395..d4fa5c25 100644 --- a/src/instructions.adoc +++ b/src/instructions.adoc @@ -17,7 +17,7 @@ jumps and conditional branches is bounds checked against <> regardless of CHERI execution mode NOTE: Not all RISC-V extensions have been checked against CHERI. Compatible -extensions, will eventually be listed in a CHERI profile. +extensions will eventually be listed in a CHERI profile. <<< === "Zcheri_purecap", "Zcheri_legacy" and "Zcheri_mode" Extensions for CHERI diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index 1616e918..32dde907 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc 
@@ -117,7 +117,7 @@ output tag is always 0 * <>: bitwise AND of a mask value with a bit map representation of the architectural (AP) and software-defined (SDP) permissions fields * <>: set the base and length of a capability. The tag is -cleared, if the encoding cannot represents the bounds exactly +cleared, if the encoding cannot represent the bounds exactly * <>: set the base and length of a capability. The base will be rounded down and/or the length will be rounded up if the encoding cannot represent the bounds exactly @@ -177,7 +177,7 @@ The indirect jump and link <> (<>) instruction allows uncondition jumps to a target address. The target address is provided in an *x* register; the new address is installed in the address field of the <>. The address of the instruction following the jump (*pc* + 4) is written to an *x* register. -<> causes an exceptions when a minimum sized instruction at the +<> causes an exception when a minimum sized instruction at the target address is not within the bounds of the <> or the target address is misaligned. 
@@ -1057,7 +1057,7 @@ NOTE: `auth_cap` is <> for Legacy mode and `cs1` for Capability Mode | all stores, all atomics, all cbos | {cheri_excep_mcause} | {cheri_excep_type_data} | {cheri_excep_cause_seal} |`auth_cap` seal | isCapSealed(`auth_cap`) | all atomics, all cbos | {cheri_excep_mcause} | {cheri_excep_type_data} | {cheri_excep_cause_perm} |`auth_cap` permission | AMO only: not(`auth_cap`.<>) | all stores, all atomics, all cbos | {cheri_excep_mcause} | {cheri_excep_type_data} | {cheri_excep_cause_perm} |`auth_cap` permission | not(auto_cap.<>) -| all stores, all atomics | {cheri_excep_mcause} | {cheri_excep_type_data} | {cheri_excep_cause_length} |`auth_cap` length | any byte of access^!^ out of `auth_cap` bounds +| all stores, all atomics | {cheri_excep_mcause} | {cheri_excep_type_data} | {cheri_excep_cause_length} |`auth_cap` length | any byte of access^1^ out of `auth_cap` bounds | capability stores, all atomics |6 | N/A | N/A |Misaligned store/AMO| Misaligned capability store or AMO |========================================================================================= @@ -1112,7 +1112,7 @@ invalid addresses. Prior to writing these CSRs, implementations may convert an invalid address into some other invalid address that the register is capable of holding. However, these registers hold capabilities in {cheri_base_ext_name} and the bounds encoding depends on the address value, so implementations must -not convert invalid addresses to other arbitrary invalid address in an +not convert invalid addresses to other arbitrary invalid addresses in an unrestricted manner. The following procedure must be used instead when writing a capability A to these CSRs: diff --git a/src/riscv-legacy-integration.adoc b/src/riscv-legacy-integration.adoc index 6a1475fa..a484c2b6 100644 --- a/src/riscv-legacy-integration.adoc +++ b/src/riscv-legacy-integration.adoc 
@@ -142,7 +142,7 @@ address of the instruction following the jump (*pc* + 4) is written to an *x* register; that register's tag and capability metadata are zeroed. <> and <> cause CHERI exceptions when a minimum sized instruction -at the target address are not within the bounds of the <>. An +at the target address is not within the bounds of the <>. An instruction address misaligned exception is raised when the target address is misaligned. From 003263bd9ba0d39a52831520a81aec5caa4cfe7d Mon Sep 17 00:00:00 2001 From: Peter Rugg Date: Mon, 22 Jan 2024 13:46:44 +0000 Subject: [PATCH 2/8] Fix confusing wording about CW I think this is what was intended --- src/cheri-pte-ext.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/cheri-pte-ext.adoc b/src/cheri-pte-ext.adoc index 83234867..515fc645 100644 --- a/src/cheri-pte-ext.adoc +++ b/src/cheri-pte-ext.adoc @@ -43,8 +43,8 @@ clears the tag bit of the capability written to a virtual page with the CW bit clear. NOTE: The implementation of the CW bit does not force a dependency on the tag -bit's value of the capability written, so implementations must support this -feature. +bit's value of the capability written, so implementations are not required +to this feature. The CD bit indicates that a capability with tag set has been written to the virtual page since the last time the CD bit was cleared. Implementations are From a2fbf771f48413ad029dcd75937c1acef89fa25b Mon Sep 17 00:00:00 2001 From: Franz Fuchs Date: Mon, 22 Jan 2024 14:18:06 +0000 Subject: [PATCH 3/8] Fixed unclear formulation about x and c registers --- src/riscv-integration.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index 32dde907..366f0e9a 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc 
@@ -32,8 +32,8 @@ where address 2^XLENMAX^ - 1 is within the bounds. === Programmer's Model for Zcheri_purecap For {cheri_base_ext_name}, the 32 unprivileged *x* registers of the base -integer ISA are extended so that they are able to hold a capability. Therefore, -each *x* register is CLEN bits wide and has an out of band tag bit. The *x* +integer ISA are extended so that they are able to hold a capability as well as renamed to *c* registers. Therefore, +each *c* register is CLEN bits wide and has an out of band tag bit. The *x* notation refers to the address field of the capability in an unprivileged register while the *c* notation is used to refer to the full capability (i.e. address, metadata and tag) held in the same unprivileged register. From c02605f5beec2d6db350bd0e9da9ba77be3d8ca0 Mon Sep 17 00:00:00 2001 From: Franz Fuchs Date: Mon, 22 Jan 2024 14:31:12 +0000 Subject: [PATCH 4/8] Corrected register name for c.mv instruction --- src/insns/cmove_cmv_16bit.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/insns/cmove_cmv_16bit.adoc b/src/insns/cmove_cmv_16bit.adoc index 34247af1..f480ed2d 100644 --- a/src/insns/cmove_cmv_16bit.adoc +++ b/src/insns/cmove_cmv_16bit.adoc @@ -27,7 +27,7 @@ Encoding:: include::wavedrom/c_mv.adoc[] Capability Mode Description:: -Capability register cd is replaced with the contents of cs1. +Capability register `cd` is replaced with the contents of `cs2``. Legacy Mode Description:: Standard RISC-V C.MV instruction. From 0fd71773349dd0b70021acd780097148302dbdea Mon Sep 17 00:00:00 2001 From: Franz Fuchs Date: Mon, 22 Jan 2024 16:06:08 +0000 Subject: [PATCH 5/8] fixed backticks in c.mv --- src/insns/cmove_cmv_16bit.adoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/insns/cmove_cmv_16bit.adoc b/src/insns/cmove_cmv_16bit.adoc index f480ed2d..71e384ff 100644 --- a/src/insns/cmove_cmv_16bit.adoc +++ b/src/insns/cmove_cmv_16bit.adoc 
@@ -12,22 +12,22 @@ Synopsis:: Capability move (C.MV, C.CMOVE), 16-bit encoding Capability Mode Mnemonic:: -c.cmove cd, cs2` +c.cmove cd, cs2 Capability Mode Expansion:: -cmove cd, cs2` +cmove cd, cs2 Legacy Mode Mnemonic:: -c.mv rd, rs2` +c.mv rd, rs2 Legacy Mode Expansion:: -add rd, x0, rs2` +add rd, x0, rs2 Encoding:: include::wavedrom/c_mv.adoc[] Capability Mode Description:: -Capability register `cd` is replaced with the contents of `cs2``. +Capability register `cd` is replaced with the contents of `cs2`. Legacy Mode Description:: Standard RISC-V C.MV instruction. From 5d2f350f97668dfb3055f68c36e00ac0dc16b31f Mon Sep 17 00:00:00 2001 From: Franz Fuchs Date: Mon, 22 Jan 2024 16:11:43 +0000 Subject: [PATCH 6/8] Added word to make clear that this refers to register 0 --- src/insns/zcmp_cmpopretz.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/insns/zcmp_cmpopretz.adoc b/src/insns/zcmp_cmpopretz.adoc index 5c33fe62..57a39962 100644 --- a/src/insns/zcmp_cmpopretz.adoc +++ b/src/insns/zcmp_cmpopretz.adoc @@ -9,7 +9,7 @@ See <> and cite:[riscv-code-size-spec]. ==== CM.CPOPRETZ Synopsis:: -Destroy stack frame (CM.CPOPRETZ, CM.POPRETZ): load the return address register and 0 to 12 saved registers from the stack frame, deallocate the stack frame. Move zero into argument register zero. Return through the return address register. 16-bit encodings. +Destroy stack frame (CM.CPOPRETZ, CM.POPRETZ): load the return address register and register 0 to 12 saved registers from the stack frame, deallocate the stack frame. Move zero into argument register zero. Return through the return address register. 16-bit encodings. Capability Mode Mnemonic:: `cm.cpopretz \{creg_list\}, -stack_adj` From 147f3d417ad0742e905ce4a5c8fe5a285ec33e18 Mon Sep 17 00:00:00 2001 From: Franz Fuchs Date: Mon, 22 Jan 2024 16:14:28 +0000 Subject: [PATCH 7/8] honour the text wrapping --- src/riscv-integration.adoc | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc index 366f0e9a..3e085da0 100644 --- a/src/riscv-integration.adoc +++ b/src/riscv-integration.adoc @@ -32,11 +32,12 @@ where address 2^XLENMAX^ - 1 is within the bounds. === Programmer's Model for Zcheri_purecap For {cheri_base_ext_name}, the 32 unprivileged *x* registers of the base -integer ISA are extended so that they are able to hold a capability as well as renamed to *c* registers. Therefore, -each *c* register is CLEN bits wide and has an out of band tag bit. The *x* -notation refers to the address field of the capability in an unprivileged -register while the *c* notation is used to refer to the full capability (i.e. -address, metadata and tag) held in the same unprivileged register. +integer ISA are extended so that they are able to hold a capability as well +as renamed to *c* registers. Therefore, each *c* register is CLEN bits wide +and has an out of band tag bit. The *x* notation refers to the address field +of the capability in an unprivileged register while the *c* notation is used +to refer to the full capability (i.e. address, metadata and tag) held in the +same unprivileged register. Register *c0* is hardwired with all bits, including the capability metadata and tag, equal to 0. In other words, *c0* is hardwired to the <> From 264a106f7f72e489baadb62c16f039e37396029c Mon Sep 17 00:00:00 2001 From: Peter Rugg Date: Tue, 23 Jan 2024 17:42:33 +0000 Subject: [PATCH 8/8] Fix misunderstanding CW mandatory implementation --- src/cheri-pte-ext.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/cheri-pte-ext.adoc b/src/cheri-pte-ext.adoc index 515fc645..b770c579 100644 --- a/src/cheri-pte-ext.adoc +++ b/src/cheri-pte-ext.adoc 
@@ -43,8 +43,8 @@ clears the tag bit of the capability written to a virtual page with the CW bit clear. NOTE: The implementation of the CW bit does not force a dependency on the tag -bit's value of the capability written, so implementations are not required -to this feature. +bit's value of the capability written, so implementations must support the CW +bit. The CD bit indicates that a capability with tag set has been written to the virtual page since the last time the CD bit was cleared. Implementations are
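Review bot: In PATCH 1/8, the src/riscv-integration.adoc hunk at @@ -117 still has a stray comma in the line it touches: "The tag is cleared, if the encoding cannot represent the bounds exactly". Since this commit is the nit pass and already edits that line, drop the comma so it reads "The tag is cleared if the encoding cannot represent the bounds exactly", matching the comma-free phrasing of the next bullet.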
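Review bot: In PATCH 1/8, the src/riscv-integration.adoc hunk at @@ -177 corrects "exceptions" but leaves "allows uncondition jumps to a target address" in the context two lines above the change. That should read "unconditional jumps" and belongs in the same commit. "minimum sized instruction" in the changed line would also read better hyphenated, here and in the matching sentence in src/riscv-legacy-integration.adoc.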
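Review bot: In PATCH 1/8, the src/riscv-integration.adoc hunk at @@ -1057 leaves a wrong identifier in the unchanged row directly above the edited one: the check is written as not(auto_cap. ...) while every other cell in the table uses `auth_cap`. In an exception-priority table a misspelled operand name is more than cosmetic, because a reader implementing the permission check has to guess which capability is meant. Please change it to `auth_cap` and wrap it in backticks like its neighbours.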
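Review bot: In PATCH 2/8, the added NOTE text "so implementations are not required to this feature" is missing its verb (presumably "to support this feature"), and the change flips a normative "must support" into "not required" on the strength of "I think this is what was intended" in the commit message. Whether the CW bit is mandatory changes what software may rely on when it clears CW to strip tags on store, so this needs confirmation from the spec owners before merging. PATCH 8/8 reverses it again; the series would be cleaner with 2/8 dropped and only the final wording kept.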
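Review bot: In PATCH 3/8, the added phrase "are extended so that they are able to hold a capability as well as renamed to *c* registers" conflicts with the unchanged sentences that follow it in the same hunk, which say the *x* notation still refers to the address field and the *c* notation to the full capability of the same register. "Renamed" suggests the *x* names go away. Suggest wording such as "are extended so that they are able to hold a capability; the extended registers are referred to as *c* registers", and keep the added line within the file's wrap width so PATCH 7/8 is not needed.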
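Review bot: In PATCH 4/8, the added line ends with a doubled closing backtick, "contents of `cs2``.", which breaks the inline monospace markup for the rest of the line. The switch from cs1 to cs2 itself agrees with the mnemonic "c.cmove cd, cs2" shown elsewhere in the same file. Fix the backtick here rather than in the follow-up commit, and squash PATCH 5/8's description change into this one.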
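Review bot: In PATCH 5/8, the four mnemonic and expansion lines are fixed by deleting the trailing backtick, which leaves them as unformatted text ("c.cmove cd, cs2", "add rd, x0, rs2"). The equivalent line in src/insns/zcmp_cmpopretz.adoc is written with both backticks, `cm.cpopretz \{creg_list\}, -stack_adj`, and this file's own description now uses `cd` and `cs2`. For consistency, add the missing opening backtick on each of the four lines instead of removing the closing one.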
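Review bot: In PATCH 6/8, the new synopsis wording "load the return address register and register 0 to 12 saved registers from the stack frame" is harder to parse than what it replaces. The original "0 to 12 saved registers" reads as a count of saved registers, while the added word makes it read as a register number, and "register 0 ... saved registers" repeats the noun. If a count is meant, revert the addition or write "between 0 and 12 saved registers"; if a register range is meant, name the registers explicitly and drop the trailing "saved registers". The commit message should say which reading is intended.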
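Review bot: In PATCH 8/8, the restored requirement "so implementations must support the CW bit" still hangs off a rationale that does not obviously lead to it: "does not force a dependency on the tag bit's value of the capability written" explains why the feature is cheap to implement, not why it is mandatory, which is likely how PATCH 2/8 came to misread it. Suggest stating the requirement first and the reason second, for example "Implementations must support the CW bit; doing so does not introduce a dependency on the tag value of the capability being written." A normative "must" is also easy to overlook inside a NOTE: block, so consider moving it into the body text next to the description of CW.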